| -rw-r--r-- | ldap/servers/slapd/ssl.c | 160 |
1 files changed, 93 insertions, 67 deletions
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index fcdc492f..c546c2bd 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -473,18 +473,11 @@ slapd_nss_init(int init_ssl, int config_available)
     return rv;
 }
 
-/*
- * slapd_ssl_init() is called from main() if we plan to listen
- * on a secure port.
- */
-int
-slapd_ssl_init() {
+static int
+svrcore_setup()
+{
     PRErrorCode errorCode;
-    char ** family_list;
-    char *val = NULL;
-    char cipher_string[1024];
     int rv = 0;
-    PK11SlotInfo *slot;
 #ifndef _WIN32
     SVRCOREStdPinObj *StdPinObj;
 #else
@@ -492,40 +485,11 @@ slapd_ssl_init() {
     SVRCOREAltPinObj *AltPinObj;
     SVRCORENTUserPinObj *NTUserPinObj;
 #endif
-    Slapi_Entry *entry = NULL;
-
-    /* Get general information */
-
-    getConfigEntry( configDN, &entry );
-
-    val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
-    ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
-
-    /* We are currently using the value of sslSessionTimeout
-       for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
-    /* Note from Tom Weinstein on the meaning of the timeout:
-
-       Timeouts are in seconds. '0' means use the default, which is
-       24hrs for SSL3 and 100 seconds for SSL2.
-    */
-
-    if(!val) {
-      errorCode = PR_GetError();
-      slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
-                     "configuration information ("
-                     SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
-                     "nssslSessionTimeout: %s ",
-                     errorCode, slapd_pr_strerror(errorCode),
-                     (val ? "found" : "not found"));
-      slapi_ch_free((void **) &val);
-      slapi_ch_free((void **) &ciphers);
-      return -1;
-    }
-
-    stimeout = atoi(val);
-    slapi_ch_free((void **) &val);
-
 #ifndef _WIN32
+    StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
+    if (StdPinObj) {
+        return 0; /* already registered */
+    }
     if ( SVRCORE_CreateStdPinObj(&StdPinObj, dongle_file_name, PR_TRUE) !=
         SVRCORE_Success) {
         errorCode = PR_GetError();
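Review bot: `static int svrcore_setup()` introduces the helper with an empty parameter list, which in C is an unprototyped definition, so a call that passes arguments is not diagnosed; write it as `static int svrcore_setup(void)`. The early return only tests whether any pin object is registered, so the cast to `SVRCOREStdPinObj *` there is a type claim the check does not need — `if (SVRCORE_GetRegisteredPinObj()) { return 0; }` says what is meant without asserting the registered object is a Std pin object; the `AltPinObj` mirror in the next hunk has the same shape. Since three call sites now branch on the result, the helper should carry a contract comment such as `/* Ensure a SVRCORE pin object is registered, creating one from dongle_file_name if needed; returns 0 when one is (or already was) registered, non-zero otherwise. */`. The body of svrcore_setup continues past the end of this hunk.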
@@ -536,6 +500,10 @@ slapd_ssl_init() {
     }
     SVRCORE_RegisterPinObj((SVRCOREPinObj *)StdPinObj);
 #else
+    AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
+    if (AltPinObj) {
+        return 0; /* already registered */
+    }
     if (SVRCORE_CreateFilePinObj(&FilePinObj, dongle_file_name) !=
         SVRCORE_Success) {
         errorCode = PR_GetError();
@@ -563,6 +531,58 @@ slapd_ssl_init() {
 
 #endif /* _WIN32 */
 
+    return rv;
+}
+
+/*
+ * slapd_ssl_init() is called from main() if we plan to listen
+ * on a secure port.
+ */
+int
+slapd_ssl_init() {
+    PRErrorCode errorCode;
+    char ** family_list;
+    char *val = NULL;
+    char cipher_string[1024];
+    int rv = 0;
+    PK11SlotInfo *slot;
+    Slapi_Entry *entry = NULL;
+
+    /* Get general information */
+
+    getConfigEntry( configDN, &entry );
+
+    val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
+    ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
+
+    /* We are currently using the value of sslSessionTimeout
+       for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
+    /* Note from Tom Weinstein on the meaning of the timeout:
+
+       Timeouts are in seconds. '0' means use the default, which is
+       24hrs for SSL3 and 100 seconds for SSL2.
+    */
+
+    if(!val) {
+      errorCode = PR_GetError();
+      slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
+                     "configuration information ("
+                     SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
+                     "nssslSessionTimeout: %s ",
+                     errorCode, slapd_pr_strerror(errorCode),
+                     (val ? "found" : "not found"));
+      slapi_ch_free((void **) &val);
+      slapi_ch_free((void **) &ciphers);
+      return -1;
+    }
+
+    stimeout = atoi(val);
+    slapi_ch_free((void **) &val);
+
+    if (svrcore_setup()) {
+        return -1;
+    }
+
     if((family_list = getChildren(configDN))) {
         char **family;
         char *token;
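Review bot: `return rv;` closes svrcore_setup with a value that, in the lines visible here, is only ever initialised to 0; the SVRCORE_Create* failure paths lie between this hunk and the previous one, so whether they `return -1` directly (as the original slapd_ssl_init did) or fall through to this line cannot be seen. If any of them falls through, every caller — `slapd_ssl_init`, `slapd_ssl_init2`, `slapd_SSL_client_auth` — will treat a failed pin-object setup as success, which is exactly the condition the refactor is meant to guard; please confirm each failure path sets `rv` or returns non-zero, and if none touches `rv`, `return 0;` is clearer than the unused variable. The moved body of slapd_ssl_init continues past the end of this hunk.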
@@ -687,6 +707,10 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 #ifndef _WIN32
     SVRCOREStdPinObj *StdPinObj;
 
+    if (svrcore_setup()) {
+        return 1;
+    }
+
     StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
     SVRCORE_SetStdPinInteractive(StdPinObj, PR_FALSE);
 #endif
@@ -1159,35 +1183,37 @@ slapd_SSL_client_auth (LDAP* ld)
 
     /* Free config data */
 
+    if (!svrcore_setup()) {
 #ifndef _WIN32
-    StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
-    err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token );
+        StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
+        err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token );
 #else
-    AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
-    pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE);
+        AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
+        pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE);
 #endif
-    if ( err != SVRCORE_Success || pw == NULL) {
-        errorCode = PR_GetError();
-        slapd_SSL_warn("SSL client authentication cannot be used "
-                       "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
-                       errorCode, slapd_pr_strerror(errorCode));
-    } else {
-        rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name);
-        if (rc != 0) {
+        if ( err != SVRCORE_Success || pw == NULL) {
             errorCode = PR_GetError();
-            slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i ("
-                           SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
-                           SERVER_KEY_NAME, cert_name, rc,
-                           errorCode, slapd_pr_strerror(errorCode));
+            slapd_SSL_warn("SSL client authentication cannot be used "
+                           "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+                           errorCode, slapd_pr_strerror(errorCode));
         } else {
-            /* We cannot allow NSS to cache outgoing client auth connections -
-               each client auth connection must have it's own non-shared SSL
-               connection to the peer so that it will go through the
-               entire handshake protocol every time including the use of its
-               own unique client cert - see bug 605457
-            */
-
-            ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
+            rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name);
+            if (rc != 0) {
+                errorCode = PR_GetError();
+                slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i ("
+                               SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+                               SERVER_KEY_NAME, cert_name, rc,
+                               errorCode, slapd_pr_strerror(errorCode));
+            } else {
+                /* We cannot allow NSS to cache outgoing client auth connections -
+                   each client auth connection must have it's own non-shared SSL
+                   connection to the peer so that it will go through the
+                   entire handshake protocol every time including the use of its
+                   own unique client cert - see bug 605457
+                */
+
+                ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
+            }
         }
     }
 
